Add cisco nx-os configuration implementation

The packages provide a variety of configurations for the Cisco Nexus
9000 Platform.

Co-authored-by: Pujol <enric.pujol@sap.com>

Author: felix-kaestner

internal/provider/cisco/nxos/acl/acl.go

@@ -0,0 +1,127 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
+// SPDX-License-Identifier: Apache-2.0
+
+package acl
+
+import (
+	"fmt"
+	"net/netip"
+
+	"github.com/openconfig/ygot/ygot"
+
+	nxos "github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/genyang"
+	"github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/gnmiext"
+)
+
+var _ gnmiext.DeviceConf = (*ACL)(nil)
+
+// ACL represents an access control list.
+type ACL struct {
+	// The items of the access control list.
+	Items []*Item
+}
+
+type Item struct {
+	// The name of the access list.
+	Name string
+	// A list of rules to apply.
+	Rules []*Rule
+}
+
+type Rule struct {
+	// The sequence number of the rule.
+	Seq uint32
+	// The action type of ACL Rule. Either 'permit' or 'deny'.
+	Action Action
+	// Source IP address or network. Use 'any' to match any source.
+	Source string
+	// Destination IP address or network. Use 'any' to match any target.
+	Destination string
+}
+
+//go:generate go tool stringer -type=Action
+type Action uint8
+
+const (
+	Permit Action = iota
+	Deny
+)
+
+// returns a single update forcing the removal of existing ACLs on the target device. Differential updates
+// are currently not applicable to ACLs; the entire tree must be replaced.
+func (a *ACL) ToYGOT(_ gnmiext.Client) ([]gnmiext.Update, error) {
+	items := &nxos.Cisco_NX_OSDevice_System_AclItems_Ipv4Items_NameItems{}
+	items.PopulateDefaults()
+	for _, i := range a.Items {
+		aclList := items.GetOrCreateACLList(i.Name)
+		aclList.PopulateDefaults()
+		aclListItems := aclList.GetOrCreateSeqItems()
+		aclListItems.PopulateDefaults()
+
+		for _, r := range i.Rules {
+			aceList := aclListItems.GetOrCreateACEList(r.Seq)
+			aceList.PopulateDefaults()
+			// seq
+			aceList.SeqNum = ygot.Uint32(r.Seq)
+			// action
+			var action nxos.E_Cisco_NX_OSDevice_Acl_ActionType
+			switch r.Action {
+			case Permit:
+				action = nxos.Cisco_NX_OSDevice_Acl_ActionType_permit
+			case Deny:
+				action = nxos.Cisco_NX_OSDevice_Acl_ActionType_deny
+			default:
+				return nil, fmt.Errorf("acl: invalid action type: %s", r.Action)
+			}
+			aceList.Action = action
+			// src
+			src, err := parse(r.Source)
+			if err != nil {
+				return nil, err
+			}
+			aceList.SrcPrefix = ygot.String(src.Addr().String())
+			aceList.SrcPrefixLength = ygot.Uint8(uint8(src.Bits())) //nolint:gosec
+			// dst
+			if r.Destination == "" {
+				r.Destination = "any"
+			}
+			dst, err := parse(r.Destination)
+			if err != nil {
+				return nil, err
+			}
+			aceList.DstPrefix = ygot.String(dst.Addr().String())
+			aceList.DstPrefixLength = ygot.Uint8(uint8(dst.Bits())) //nolint:gosec
+		}
+	}
+	return []gnmiext.Update{
+		gnmiext.ReplacingUpdate{
+			XPath: "System/acl-items/ipv4-items/name-items",
+			Value: items,
+		},
+	}, nil
+}
+
+// parse a CIDR string and returns it's [netip.Prefix].
+// If the CIDR is "any", it returns '0.0.0.0/0' as the default.
+func parse(cidr string) (p netip.Prefix, err error) {
+	p = netip.PrefixFrom(netip.AddrFrom4([4]byte{0, 0, 0, 0}), 0)
+	if cidr != "any" {
+		p, err = netip.ParsePrefix(cidr)
+		if err == nil && !p.IsValid() {
+			err = fmt.Errorf("acl: invalid network CIDR: %s", cidr)
+		}
+	}
+	return
+}
+
+func (v *ACL) Reset(_ gnmiext.Client) ([]gnmiext.Update, error) {
+	items := &nxos.Cisco_NX_OSDevice_System_AclItems_Ipv4Items_NameItems{}
+	items.PopulateDefaults()
+
+	return []gnmiext.Update{
+		gnmiext.ReplacingUpdate{
+			XPath: "System/acl-items/ipv4-items/name-items",
+			Value: items,
+		},
+	}, nil
+}

internal/provider/cisco/nxos/acl/acl_test.go

@@ -0,0 +1,79 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
+// SPDX-License-Identifier: Apache-2.0
+
+package acl
+
+import (
+	"testing"
+
+	nxos "github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/genyang"
+	"github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/gnmiext"
+)
+
+func Test_ACL(t *testing.T) {
+	a := &ACL{
+		Items: []*Item{
+			{
+				Name: "ACL-SNMP-VTY",
+				Rules: []*Rule{
+					{
+						Seq:    10,
+						Action: Permit,
+						Source: "10.0.0.0/8",
+					},
+				},
+			},
+		},
+	}
+
+	got, err := a.ToYGOT(&gnmiext.ClientMock{})
+	if err != nil {
+		t.Errorf("unexpected error: %v", err)
+	}
+
+	if len(got) != 1 {
+		t.Errorf("expected 1 key, got %d", len(got))
+	}
+
+	update, ok := got[0].(gnmiext.ReplacingUpdate)
+	if !ok {
+		t.Errorf("expected value to be of type ReplacingUpdate")
+	}
+
+	if update.XPath != "System/acl-items/ipv4-items/name-items" {
+		t.Errorf("expected key 'System/acl-items/ipv4-items/name-items' to be present")
+	}
+
+	items, ok := update.Value.(*nxos.Cisco_NX_OSDevice_System_AclItems_Ipv4Items_NameItems)
+	if !ok {
+		t.Errorf("expected value to be of type *nxos.Cisco_NX_OSDevice_System_AclItems_Ipv4Items_NameItems")
+	}
+
+	if len(items.ACLList) != 1 {
+		t.Errorf("expected 1 ACL, got %d", len(items.ACLList))
+	}
+
+	if len(items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList) != 1 {
+		t.Errorf("expected 1 rule, got %d", len(items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList))
+	}
+
+	if items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].Action != nxos.Cisco_NX_OSDevice_Acl_ActionType_permit {
+		t.Errorf("expected action to be 'permit', got %v", items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].Action)
+	}
+
+	if *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].SrcPrefix != "10.0.0.0" {
+		t.Errorf("expected source prefix to be '10.0.0.0', got %v", *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].SrcPrefix)
+	}
+
+	if *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].SrcPrefixLength != 8 {
+		t.Errorf("expected source mask to be '8', got %d", *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].SrcPrefixLength)
+	}
+
+	if *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].DstPrefix != "0.0.0.0" {
+		t.Errorf("expected source prefix to be '0.0.0.0', got %v", *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].DstPrefix)
+	}
+
+	if *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].DstPrefixLength != 0 {
+		t.Errorf("expected source mask to be '0', got %d", *items.ACLList["ACL-SNMP-VTY"].SeqItems.ACEList[10].DstPrefixLength)
+	}
+}

internal/provider/cisco/nxos/acl/action_string.go

@@ -0,0 +1,105 @@
+// SPDX-FileCopyrightText: 2025 SAP SE or an SAP affiliate company
+// SPDX-License-Identifier: Apache-2.0
+
+package api
+
+import (
+	"errors"
+
+	"github.com/openconfig/ygot/ygot"
+
+	nxos "github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/genyang"
+	"github.com/ironcore-dev/network-operator/internal/provider/cisco/nxos/gnmiext"
+)
+
+var _ gnmiext.DeviceConf = (*GRPC)(nil)
+
+type GRPC struct {
+	// Enable the gRPC agent on the switch. The default is false.
+	Enable bool
+	// The port number for the grpc server. The range of port-id is from 1024 to 65535. 50051 is the default.
+	Port uint32
+	// Enable the gRPC agent to accept incoming (dial-in) RPC requests from a given VRF.
+	// If left empty, the management VRF processes incoming RPC requests when the gRPC feature is enabled.
+	Vrf string
+	// The certificate trustpoint ID.
+	Trustpoint string
+	// GNMI configuration.
+	GNMI *GNMI `json:"gnmi,omitempty"`
+}
+
+type GNMI struct {
+	// The maximum number of concurrent gNMI calls that can be made to the gRPC server on the switch for each VRF.
+	// Configure a limit from 1 through 16. The default limit is 8.
+	MaxConcurrentCall uint16
+	// Configure the keepalive timeout for inactive or unauthorized connections.
+	// The gRPC agent periodically sends an empty response to the client. If this response fails to deliver to the client, then the connection stops.
+	// The default interval value is 600 seconds. You can configure to change the keepalive interval with the interval range of 600-86400 seconds.
+	KeepAliveTimeout uint32
+	// Configure the minimum sample interval for the gNMI telemetry stream.
+	// Once per stream sample interval, the switch sends the current values for all specified paths. The supported sample interval range is from 1 through 604,800 second.
+	// The default sample interval is 10 seconds.
+	MinSampleInterval uint32
+}
+
+// ToYGOT converts the GRPC configuration to a slice of gNMI updates.
+func (g *GRPC) ToYGOT(_ gnmiext.Client) ([]gnmiext.Update, error) {
+	if !g.Enable {
+		return []gnmiext.Update{
+			gnmiext.EditingUpdate{
+				XPath: "System/fm-items/grpc-items",
+				Value: &nxos.Cisco_NX_OSDevice_System_FmItems_GrpcItems{AdminSt: nxos.Cisco_NX_OSDevice_Fm_AdminState_disabled},
+			},
+		}, nil
+	}
+
+	if g.Port == 0 {
+		g.Port = 50051
+	}
+
+	if g.GNMI == nil {
+		g.GNMI = &GNMI{}
+	}
+
+	if g.GNMI.MaxConcurrentCall == 0 {
+		g.GNMI.MaxConcurrentCall = 8
+	}
+
+	if g.GNMI.KeepAliveTimeout == 0 {
+		g.GNMI.KeepAliveTimeout = 600
+	}
+
+	if g.GNMI.MinSampleInterval == 0 {
+		g.GNMI.MinSampleInterval = 10
+	}
+
+	var vrf *string
+	if g.Vrf != "" {
+		vrf = ygot.String(g.Vrf)
+	}
+
+	return []gnmiext.Update{
+		gnmiext.EditingUpdate{
+			XPath: "System/fm-items/grpc-items",
+			Value: &nxos.Cisco_NX_OSDevice_System_FmItems_GrpcItems{AdminSt: nxos.Cisco_NX_OSDevice_Fm_AdminState_enabled},
+		},
+		gnmiext.EditingUpdate{
+			XPath: "System/grpc-items",
+			Value: &nxos.Cisco_NX_OSDevice_System_GrpcItems{
+				Cert:   ygot.String(g.Trustpoint),
+				Port:   ygot.Uint32(g.Port),
+				UseVrf: vrf,
+				GnmiItems: &nxos.Cisco_NX_OSDevice_System_GrpcItems_GnmiItems{
+					MaxCalls:          ygot.Uint16(g.GNMI.MaxConcurrentCall),
+					KeepAliveTimeout:  ygot.Uint32(g.GNMI.KeepAliveTimeout),
+					MinSampleInterval: ygot.Uint32(g.GNMI.MinSampleInterval),
+				},
+			},
+		},
+	}, nil
+}
+
+// returns an empty update and an error indicating that the reset is not implemented
+func (v *GRPC) Reset(_ gnmiext.Client) ([]gnmiext.Update, error) {
+	return []gnmiext.Update{}, errors.New("grpc: reset not implemented as it effectively disables management over gNMI")
+}